Mailing List Archive

Public keys stored on different server
Hello

Perhaps my question is strange and silly ;-)

More and more I see messages which are signed - but the author didn't
store his public key on a keyserver (e.g. hkps://keys.openpgp.org) -
sometimes a footnote in the messages gives a link where the key could
be downloaded. Sometimes this link has a bad or strange https
certificate...

What are the reasons for such a procedure and what is the advantage?

--
Best regards,
Martin
Re: Public keys stored on different server [ In reply to ]
Hello Martin,

On 1 February 2023 at 10:32, Martin wrote:
> More and more I see messages which are signed - but the author didn't
> store his public key on a keyserver (e.g. hkps://keys.openpgp.org) -
> sometimes a footnote in the messages gives a link where the key could
> be downloaded. Sometimes this link has a bad or strange https
> certificate...
>
> What are the reasons for such a procedure and what is the advantage?

Keyserver records are public and spammers can scan those (although:
a) in 2022 I wonder if there is still much value in email spamming and
b) some servers are taking countermeasures).

This could be a reason why some people prefer not to upload their public
key to keyservers.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Public keys stored on different server [ In reply to ]
On Wed, 1 Feb 2023 10:32:41 +0100
Martin <martin@postzone.org> wrote:

> Hello
>
> Perhaps my question is strange and silly ;-)
>
> More and more I see messages which are signed - but the author didn't
> store his public key on a keyserver (e.g. hkps://keys.openpgp.org) -
> sometimes a footnote in the messages gives a link where the key could
> be downloaded. Sometimes this link has a bad or strange https
> certificate...
>
> What are the reasons for such a procedure and what is the advantage?
>

That sometimes happens to me: my key is available at my domain, but
sometimes Codeberg Pages freaks out a bit, fails to recognize my custom
domain and serves the *.codeberg.pages certificate; sorry about that. In
case you're talking about my key, it is also at the Ubuntu keyserver:
keyserver.ubuntu.com (I used to have that in my sig).

There's not much you can do in those situations. There's not
really much in the way of an advantage compared to downloading from a
keyserver when searching by the key ID.

--
Current PGP KeyID: 11ADE4393600C1BDFFCBC0A598DE15942B08CA00

https://blueselene.com/pgp-archive/11ADE4393600C1BDFFCBC0A598DE15942B08CA00/key.pub

For up-to-date information on my crypto keys see
https://blueselene.com/crypto.html
Re: Public keys stored on different server [ In reply to ]
On Wed, 1 Feb 2023 13:01:21 +0100
Alex <alex@blueselene.com> wrote:

> There's not much you can do in those situations. There's not
> really much in the way of an advantage compared to downloading from a
> keyserver when searching by the key ID.

Correction: it can help if there are collisions; software should not
assume that key IDs are unique
(https://www.rfc-editor.org/rfc/rfc4880#section-3.3).

--
Current PGP KeyID: 11ADE4393600C1BDFFCBC0A598DE15942B08CA00

https://blueselene.com/pgp-archive/11ADE4393600C1BDFFCBC0A598DE15942B08CA00/key.pub

For up-to-date information on my crypto keys see
https://blueselene.com/crypto.html
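An added example (not Alex's code and not part of the original thread) that makes the RFC 4880 point concrete: a v4 fingerprint is the SHA-1 over the public-key packet, the 64-bit key ID is simply its low-order eight octets, and the 32-bit "short" ID its low-order four. Anything that looks keys up by key ID can therefore match more than one certificate, so a lookup has to be by full fingerprint. The packet below is built from toy RSA values and the keyring is constructed for illustration; none of it is a real key.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer (RFC 4880 section 3.2): 2-octet bit length, big-endian magnitude."""
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (algorithm 1), RFC 4880 section 5.5.2."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(packet_body: bytes) -> bytes:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-octet body length, and the body."""
    return hashlib.sha1(bytes([0x99]) + struct.pack(">H", len(packet_body)) + packet_body).digest()


def key_id(fingerprint: bytes) -> str:
    """The 64-bit key ID is the low-order 8 octets of the v4 fingerprint."""
    return fingerprint[-8:].hex().upper()


def short_key_id(fingerprint: bytes) -> str:
    """The 32-bit 'short' key ID is the low-order 4 octets; trivially collidable, never use it for lookup."""
    return fingerprint[-4:].hex().upper()


# Toy key material, constructed for this example and far too small to be a real key.
TOY_N = 0xC5D2F8A14B7E3F0C9A11D2E6F3B7C4A5D6E7F8091A2B3C4D5E6F708192A3B4C5
TOY_E = 65537
TOY_CREATED = 1675243961  # constructed creation timestamp (2023-02-01)


def toy_fingerprint(created: int = TOY_CREATED) -> bytes:
    """Fingerprint of the toy key; note that changing only the creation time changes the fingerprint."""
    return v4_fingerprint(v4_rsa_public_key_body(created, TOY_N, TOY_E))


# A constructed local keyring keyed by full fingerprint. The first two entries share the
# same low 64 bits, which is exactly the situation RFC 4880 section 3.3 warns about.
TOY_KEYRING = {
    "0123456789ABCDEF012345670011223344556677": "alice@example.org (constructed)",
    "FEDCBA9876543210FEDCBA980011223344556677": "mallory@example.net (constructed)",
    "89ABCDEF0123456789ABCDEF8899AABBCCDDEEFF": "bob@example.org (constructed)",
}


def find_by_key_id(keyring: dict, kid: str) -> list:
    """Lookup by (long or short) key ID: every fingerprint whose low bits match, possibly several."""
    kid = kid.replace(" ", "").upper()
    return [fpr for fpr in keyring if fpr.endswith(kid)]


def find_by_fingerprint(keyring: dict, fpr: str):
    """Lookup by full 160-bit fingerprint: at most one match."""
    return keyring.get(fpr.replace(" ", "").upper())


if __name__ == "__main__":
    fpr = toy_fingerprint()
    print("fingerprint:", fpr.hex().upper())
    print("key ID:     ", key_id(fpr), " short ID:", short_key_id(fpr))
    print("by key ID:  ", find_by_key_id(TOY_KEYRING, "0011223344556677"))
    print("by fpr:     ", find_by_fingerprint(TOY_KEYRING, "0123456789ABCDEF012345670011223344556677"))
```

Running it shows the key-ID lookup returning two candidates while the fingerprint lookup returns exactly one; a key server queried with `0x0011223344556677` would be in the same position and may hand back either certificate.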
Re: Public keys stored on different server [ In reply to ]
Hello,

Apart from the use of a keyserver, it is relatively easy and highly
recommended to use WKD (Web Key Directory) for PGP keys.
Another alternative is the DNS OPENPGPKEY record.

regards
Juergen

On 01.02.23 at 10:32, Martin wrote:
> Hello
>
> Perhaps my question is strange and silly ;-)
>
> More and more I see messages which are signed - but the author didn't
> store his public key on a keyserver (e.g. hkps://keys.openpgp.org) -
> sometimes a footnote in the messages gives a link where the key could
> be downloaded. Sometimes this link has a bad or strange https
> certificate...
>
> What are the reasons for such a procedure and what is the advantage?

--
/¯\ No |
\ / HTML | Juergen Bruckner
X in | juergen@bruckner.email
/ \ Mail |
Re: Public keys stored on different server [ In reply to ]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello Alex,

Wednesday, February 1, 2023, 1:01:21 PM, you wrote:

> There's not much you can do in those situations. There's not
> really much in the way of an advantage compared to downloading from a
> keyserver when searching by the key ID.

It just seemed like a contradiction to me if a key for security
reasons should be downloaded from a website with an insufficient
certificate ;-)

- --
Best regards,
Martin
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCAAdFiEE92uV/w2x7WB1p4XLsdyR185C444FAmPaiooACgkQsdyR185C
444E1Af9Eb7h9Kmqalk27WwprTx/fW/GK/m5HXdKLKLXtNbKbkGKu1f2lXEj3R6p
zlLC3npYgAr1ZPNT0H1G/1fHo8E4s8XeJRN8Lli216conbqX0KoY3OhC7vIMMpl7
3OgQXbEqPLBDZaFTmITHA6xCq5BN0jB+JGXKgWKBLEJUvyEfzgIY6jYqw1U7ng2a
55xSm2HQPCjhkoZnkZvj4fjuOzgSlID/v5g/yT9xZgMDUKBFuaejkg1NJ4OJXehb
OCTlC13O1dcbK+4Qe/aTBbnkjz7wLyUk7rdLN+uSW8MBA5wX22L4PERblVWYVTeT
/Gdu6xoPWfMwK4RNsmzQxRIpzy4ZCg==
=v7z2
-----END PGP SIGNATURE-----


RE: Public keys stored on different server [ In reply to ]
On Wednesday, February 1, 2023 5:33 PM, Martin wrote:
> Hello
>
> Perhaps my question is strange and silly ;-)
>
> More and more I see messages which are signed - but the author didn't
> store his public key on a keyserver (e.g. hkps://keys.openpgp.org) -
> sometimes a footnote in the messages gives a link where the key could
> be downloaded. Sometimes this link has a bad or strange https
> certificate...
>
> What are the reasons for such a procedure and what is the advantage?

Even if the key is uploaded to a keyserver, we are faced with the new
problem of which server we can get it from (it is well known that
keys.openpgp.org is not synchronized with other keyservers, and I think
there are more such cases).

For users with custom domain email addresses, it may be a good idea to
publish PGP public keys using WKD (Web Key Directory), which solves the
problem of where to find the keys (find from your email address domain).
But for the average user, I think providing a key download link is probably
the easiest and most feasible solution.
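Both Juergen's suggestion above (WKD or a DNS OPENPGPKEY record) and this message's point that WKD answers "where do I find the key" from the address itself come down to a deterministic mapping from an e-mail address to a lookup location. The following is an added example, not code from the thread or from GnuPG, implementing those two mappings as specified in draft-koch-openpgp-webkey-service (WKD: SHA-1 of the lowercased local part, z-base-32 encoded, under `/.well-known/openpgpkey/`) and RFC 7929 (OPENPGPKEY: the first 28 octets of SHA-256 of the local part, hex, under `_openpgpkey.<domain>`). The addresses used are the specifications' own examples; no network access is needed.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by WKD (Zooko's ordering, not RFC 4648 base32).
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups taken MSB first, right-padded with zero bits."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(ZB32_ALPHABET[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(local_part: str) -> str:
    """WKD 'hu' component: z-base-32(SHA-1(local part lowercased)); a 160-bit digest gives 32 chars."""
    return zbase32_encode(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Both WKD lookup URLs for an address. A client tries the advanced method first
    (a dedicated openpgpkey.<domain> host) and falls back to the direct method on the
    domain itself. The ?l= query carries the local part as written, not lowercased."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    l = quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }


def openpgpkey_owner_name(address: str) -> str:
    """RFC 7929 section 2.1 owner name: lowercase hex of the first 28 octets of SHA-256 over the
    UTF-8 local part (not lowercased by the RFC), then ._openpgpkey.<domain>. as a DNS name."""
    local, domain = address.rsplit("@", 1)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower()}."


if __name__ == "__main__":
    for addr in ("Joe.Doe@Example.ORG", "hugh@example.com"):
        urls = wkd_urls(addr)
        print(addr)
        print("  WKD advanced:", urls["advanced"])
        print("  WKD direct:  ", urls["direct"])
        print("  OPENPGPKEY:  ", openpgpkey_owner_name(addr))
```

With GnuPG the same derivation is available as `gpg-wks-client --print-wkd-url user@example.org`, and `gpg --auto-key-locate clear,wkd --locate-keys user@example.org` performs the fetch. Two caveats a practitioner should keep in mind: WKD and OPENPGPKEY only move the question from "which key server" to "who controls this domain's web server or DNS zone", so the result is still only as trustworthy as that operator (DNSSEC for OPENPGPKEY, TLS for WKD), and a client must check that the certificate it receives actually carries a user ID for the requested address, which GnuPG does before accepting a WKD result.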
Re: Public keys stored on different server [ In reply to ]
On Wed, 1 Feb 2023 16:51, Martin said:

> It just seemed like a contradiction to me if a key for security
> reasons should be downloaded from a website with an insufficient
> certificate ;-)

That does not really matter. X.509 certificates as well as PGP keys are
self-contained. All OpenPGP applications check the integrity of newly
imported keys.

However, only the integrity can be checked, not whether the key
actually belongs to the entity it claims to belong to (validity or
trust). Thus you either need to verify the fingerprint of the key or
use a signature on the key issued by keys you already validated (cf. Web
of Trust, trusted introducer).


Salam-Shalom,

Werner

--
The pioneers of a warless world are the youth that
refuse military service. - A. Einstein
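Werner's distinction above (the download channel and the TLS certificate do not matter for integrity; what matters is checking the fingerprint against something you already trust) is the check a practitioner actually performs after fetching a key from a personal website. The following is an added example, not code from the thread or from GnuPG: it parses the machine-readable `--with-colons` listing GnuPG produces for a key file (for instance `gpg --show-keys --with-colons key.pub`), takes the primary key's fingerprint, and accepts the file only if that fingerprint equals a value obtained out of band and the certificate carries a user ID for the address you intend to write to. The colon output is a constructed sample: the fingerprint is the one Alex posted in this thread, but the sizes, timestamps and subkey are invented for illustration.

```python
import hmac

# Constructed sample of `gpg --show-keys --with-colons key.pub` output (field layout per GnuPG's
# doc/DETAILS). Field 10 of an 'fpr' record is the fingerprint; field 10 of a 'uid' record is the
# user ID. Only the fingerprint is real (taken from Alex's signature in this thread).
SAMPLE_COLONS = """\
pub:-:4096:1:98DE15942B08CA00:1609459200:::-:::scESC::::::23::0:
fpr:::::::::11ADE4393600C1BDFFCBC0A598DE15942B08CA00:
uid:-::::1609459200::0123456789ABCDEF0123456789ABCDEF01234567::Alex <alex@blueselene.com>::::::::::0:
sub:-:4096:1:0123456789ABCDEF:1609459200::::::e::::::23:
fpr:::::::::FFFFFFFFFFFFFFFFFFFFFFFF0123456789ABCDEF:
"""


def normalize_fpr(s: str) -> str:
    """Strip the spaces people put in printed fingerprints and upper-case the hex."""
    return s.replace(" ", "").upper()


def parse_colons(text: str) -> list:
    """Return [(primary_fingerprint, [user IDs]), ...] for every certificate in the listing.
    Only the 'fpr' record that directly follows 'pub' is the primary fingerprint; 'fpr'
    records after 'sub' belong to subkeys and must not be mistaken for it."""
    certs = []
    expecting = None
    for line in text.splitlines():
        fields = line.split(":")
        rtype = fields[0]
        if rtype == "pub":
            certs.append([None, []])
            expecting = "pub"
        elif rtype == "sub":
            expecting = "sub"
        elif rtype == "fpr" and certs:
            if expecting == "pub" and certs[-1][0] is None:
                certs[-1][0] = fields[9]
            expecting = None
        elif rtype == "uid" and certs:
            certs[-1][1].append(fields[9])
    return [(fpr, uids) for fpr, uids in certs]


def check_downloaded_key(colon_output: str, pinned_fingerprint: str, expected_address: str) -> bool:
    """Accept the downloaded file only if it holds exactly one certificate, its primary
    fingerprint equals the value verified out of band, and it carries a user ID for the
    address we want to write to. The comparison covers the full 160-bit fingerprint (a
    64-bit key ID can never match) and is constant-time."""
    certs = parse_colons(colon_output)
    if len(certs) != 1 or certs[0][0] is None:
        return False
    fpr, uids = certs[0]
    if not hmac.compare_digest(normalize_fpr(fpr), normalize_fpr(pinned_fingerprint)):
        return False
    wanted = f"<{expected_address.lower()}>"
    return any(wanted in uid.lower() for uid in uids)


if __name__ == "__main__":
    # The pinned value would come from a business card, a previously verified signed
    # message, or a fingerprint you recorded earlier, never from the same web page.
    pinned = "11ADE439 3600C1BD FFCBC0A5 98DE1594 2B08CA00"
    print("accept:", check_downloaded_key(SAMPLE_COLONS, pinned, "alex@blueselene.com"))
    print("key ID only:", check_downloaded_key(SAMPLE_COLONS, "98DE15942B08CA00", "alex@blueselene.com"))
```

Only after this check passes would you import the file (`gpg --import key.pub`) and, if you are satisfied, certify or set ownertrust on it; a broken TLS certificate on the download site changes nothing about this procedure, because the fingerprint comparison, not the transport, is what establishes that you hold the right key.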
Re: Public keys stored on different server [ In reply to ]
Hey list,
> Keyserver records are public and spammers can scan those

Just quickly noting, since keys.openpgp.org was mentioned at the
beginning of the thread:

For traditional (sks-style) keyservers, it is true that the list of all
certificates
and email addresses is public, and must be by design. For keys.openpgp.org
specifically, this full list is not public and never will be in
accordance with
our privacy policy.

Cheers

 - V


Re: Public keys stored on different server [ In reply to ]
Hello Vincent,

Thursday, February 2, 2023, 12:41:48 PM, you wrote:

> For traditional (sks-style) keyservers, it is true that the list of all certificates
> and email addresses is public, and must be by design. For keys.openpgp.org
> specifically, this full list is not public and never will be in accordance with
> our privacy policy.

Could you please explain this, I don't really understand. So there are
public and non-public keys on this key server? Who decides that a
key is public or non-public? Who or how can I request a non-public
key?

Martin
Re: Public keys stored on different server [ In reply to ]
Hi Martin,

> Could you please explain this, I don't understand really. So there are
> public and no public keys on the this key-server? Who decides that a
> key is public or non-public? Who or how can I request a non-public
> key?
Sorry, that wasn't as clear as it could have been. There are no
non-public keys, all keys are still publicly available, and can be
retrieved by fingerprint or email address. You just can't retrieve
all keys or email addresses as a full list, which makes it a far
less interesting target for spammers.

Cheers

 - V



Re: Public keys stored on different server [ In reply to ]
Hello Vincent,

Ok - that is clear now. I never had the idea to get a "whole list"
from a key server, but I didn't understand why people make their
key accessible only on their own website.

Martin

Thursday, February 2, 2023, 9:45:53 PM, you wrote:


>> Could you please explain this, I don't understand really. So there are
>> public and no public keys on the this key-server? Who decides that a
>> key is public or non-public? Who or how can I request a non-public
>> key?
> Sorry, that wasn't as clear as it could have been. There are no
> non-public keys, all keys are still publicly available, and can be
> retrieved by fingerprint or email address. You just can't retrieve
> all keys or email addresses as a full list, which makes it a far
> less interesting target for spammers.


Re: Public keys stored on different server [ In reply to ]
Hello Martin,

so I think these people want to make it as easy as possible for others
to get the public key. I also make my keys available on my website and
via WKD and DNS.
From my point of view it is also a kind of security for people who want
to write to me that they have my real key - and not a fake one.

regards
Juergen

On 03.02.23 at 11:16, Martin wrote:
> Hello Vincent,
>
> Ok - that is clear now. I never had the idea to get a "whole list"
> from a key server, but I didn't understand why people make their
> key accessible only on their own website.
>
> Martin
>
> Thursday, February 2, 2023, 9:45:53 PM, you wrote:
>
>
>>> Could you please explain this, I don't understand really. So there are
>>> public and no public keys on the this key-server? Who decides that a
>>> key is public or non-public? Who or how can I request a non-public
>>> key?
>> Sorry, that wasn't as clear as it could have been. There are no
>> non-public keys, all keys are still publicly available, and can be
>> retrieved by fingerprint or email address. You just can't retrieve
>> all keys or email addresses as a full list, which makes it a far
>> less interesting target for spammers.

--
/¯\ No |
\ / HTML | Juergen Bruckner
X in | juergen@bruckner.email
/ \ Mail |
Re: Public keys stored on different server [ In reply to ]
(top posting on purpose)

While reading your message and assuming, just as a principle, that I (= whatever user) would like to get your public key, how do I know your website so that "people who want to write to me that they have my real key - and not a fake one" ?

(your message below)

Cristi


On Fri, 3 Feb 2023 12:06:23 +0100, Juergen M. Bruckner via Gnupg-users wrote:

> Hello Martin,
>
> so I think these people want to make it as easy as possible for
> others to get the public key. I also make my keys available on my
> website and via WKD and DNS.
> From my point of view it is also a kind of security for people who
> want to write to me that they have my real key - and not a fake one.
>
> regards
> Juergen
>
> Am 03.02.23 um 11:16 schrieb Martin:
> > Hello Vincent,
> >
> > Ok - that is clear now. I never had the idea to get a "whole list"
> > from a key server, but I didn't understand why people make their
> > key accessible only on their own website.
> >
> > Martin
> >
> > Thursday, February 2, 2023, 9:45:53 PM, you wrote:
> >
> >
> >>> Could you please explain this, I don't understand really. So
> >>> there are public and no public keys on the this key-server? Who
> >>> decides that a key is public or non-public? Who or how can I
> >>> request a non-public key?
> >> Sorry, that wasn't as clear as it could have been. There are no
> >> non-public keys, all keys are still publicly available, and can be
> >> retrieved by fingerprint or email address. You just can't retrieve
> >> all keys or email addresses as a full list, which makes it a far
> >> less interesting target for spammers.


--
Cristian Secară
https://www.secarica.ro

Re: Public keys stored on different server [ In reply to ]
On Fri, 10 Feb 2023 14:46:48 +0200, Cristian Secară wrote:

> (your message below)

There was also a signature, that only contains an e-mail address:

/¯\ No |
\ / HTML | Juergen Bruckner
X in | juergen@bruckner.email
/ \ Mail |

Or, should one copy the e-mail domain part and check to see if the e-mail domain corresponds to a web page? This domain extension even sounds a bit strange for a *web* page.

(my question is just a curiosity)

Cristi

--
Cristian Secară
https://www.secarica.ro
